From alertmailinglist at skiifwrald.com Thu Mar 11 19:38:31 2010
From: alertmailinglist at skiifwrald.com (Security and IT News Alerts)
Date: Thu, 11 Mar 2010 20:08:31 +1030
Subject: [Sunnet Alert] Advisory #276 - Microsoft (Multiple), Multiple News
Message-ID: <0D1A5AAB-4879-4AD7-BAE9-8A1BBB9F24B4@beskerming.com>

Sûnnet Beskerming Alert List Advisory #276

You are receiving this message because you have subscribed to our Information Security Alert Mailing List, or have been selected for a specific one-off copy. If you believe that you are receiving this message in error, please contact info at beskerming.com to resolve the error.

Why not upgrade to get same day notification on security threats? Details and rates are available online (http://www.beskerming.com/premium/generic_advisory.html). Why not go the next step and get delivery tailored just for your company? (http://www.beskerming.com/premium/focussed_advisory.html)

Once you've had a chance to read through this advisory, come back and answer the following question: did you like the timeliness of the advisory? Our premium subscribers get this sort of service on every advisory - same day coverage of security discoveries and full details on all external tracking data that we have discovered, to help keep you informed and form a well-rounded opinion and assessment of the risk to you, your systems, and your data.

Contents
--------------------------------------------------------------------
1. SECURITY
--------------------------------------------------------------------
1.1 Microsoft (Multiple) - Remote Hacker Automatic Control - Time Since Discovery - 3 Days

=======================================
/*
- Remote or Local - Can it be achieved through a network, or does it require physical access?
- Hacker - The bad guy
- Manual or Automatic - Does the vulnerability need to be manually performed, or can it be automated?
- Control, Denial of Service or Data Theft - Will the hacker get control of your system / website, will they prevent you from using it, or will they steal data?
*/
--------------------------------------------------------------------
2. NEWS
--------------------------------------------------------------------
2.1 Anonymous to take Protesting Into Physical World
2.2 MS10-015 Issues Confirmed to be Caused by Alureon Rootkit
2.3 Internet Explorer, Help files, and VBScript - Remote Code Execution Allowed

=====================================
1. SECURITY

1.1 Microsoft (Multiple) - Remote Hacker Automatic Control

-- Products Affected --
Windows, Office

-- Technical Description --
MS10-016 - Windows. Remote code execution. Important
MS10-017 - Office. Remote code execution. Replaces MS09-067, MS09-021. Important

-- Description --
Microsoft have released two bulletins as part of the March Security Bulletin release, in line with what they identified in the Advance Notification last week. Both bulletins address remote code execution vulnerabilities, one in Windows and the other in Office. Despite being remote code execution issues, both are rated only Important because they require user interaction for any exploit to work.

-- Recommended Action --
All users and administrators should apply the updates at the earliest opportunity.
-- Source --
http://www.microsoft.com/technet/security/bulletin/ms10-mar.mspx
http://www.beskerming.com/services/176/Patch_Briefing
http://store.eSellerate.net/s.asp?s=STR3448907936&Cmd=CATALOG&CategoryID=9811

-- Updates Available --
http://www.microsoft.com/technet/security/bulletin/ms10-016.mspx
http://www.microsoft.com/technet/security/bulletin/ms10-017.mspx

-- External Tracking Data --
CVE-ID: CVE-2010-0265 (MS10-016)
CVE-ID: CVE-2010-0257 (MS10-017)
CVE-ID: CVE-2010-0258 (MS10-017)
CVE-ID: CVE-2010-0260 (MS10-017)
CVE-ID: CVE-2010-0261 (MS10-017)
CVE-ID: CVE-2010-0262 (MS10-017)
CVE-ID: CVE-2010-0263 (MS10-017)
CVE-ID: CVE-2010-0264 (MS10-017)

-- Threat Matrix --
               U   O
Home User      8   8   (Critical)
Corporate      8   8   (Critical)
=======================================
/* Threat Matrix:
   U - User
   O - Operator
   Harmless - 0 ----- 10 - Highly Critical */
=======================================
2. NEWS

2.1 Anonymous to take Protesting Into Physical World

When Anonymous first targeted the Australian Government over proposed Internet censorship, there wasn't much of a result, but the second round of attacks recently had more effect, successfully using DDoS attacks to temporarily disable several federal government websites. This weekend the protests will enter the physical world, with various protests planned for February 20 around Australia, and with calls for similar protests at Australian embassies across the globe.

With the generally apathetic view that many Australians take of the issues being protested, the protests may not attract many people, and are likely to attract only minor press attention, if only for the name of the protest (Operation Titstorm). With a federal election due this year, it is unlikely that any real progress will be seen on loosening the noose that is slowly being applied to Australian Internet access.
Both major parties supported the idea of Internet filtering before the last election, and both continue to support it in the lead-up to this election. There is some hope for people opposed to the current forms of media classification and censorship in Australia, with South Australia also set to hold an election this year. The South Australian Attorney General is seen as the reason why games do not have an R or equivalent rating, instead being capped at MA15+. This has meant some games are either refused classification (RC) or not even offered for sale in Australia, limiting the opportunity for a maturing population of Australian gamers to access these titles legally. Game retailers have begun an awareness campaign, alongside a number of community-based drives, to make the public aware of this situation, and a growing number of people find it unwanted.

On- and offline protests by Anonymous and a growing number of publicly dissatisfied Australian gamers may not be enough to see any real changes enacted with the coming state and federal elections in Australia, but they are a starting point for greater future awareness. If recent history in Europe is any indicator, there may be a couple of surprises from political groups focussed on keeping as much freedom in the Internet as possible. It probably won't directly affect the major parties' strength in parliament, but their presence on the ballots will at least force the major parties to consider the arguments being made by the new groups.

2.2 MS10-015 Issues Confirmed to be Caused by Alureon Rootkit

When Microsoft released their February Security Bulletins, there were reports that one of the bulletins, MS10-015, was leading to blue screens on reboot for some Windows XP systems. Advice was quickly pushed out by a number of sources that allowed users to roll back the update and get some functionality back on their systems, and Microsoft began taking a closer look at the issue.
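Microsoft's follow-up advice, covered later in this item, is to replace the infected system driver (most often atapi.sys) with a known clean copy. The script below is an added example and is not code from this advisory or from Microsoft: it compares the drivers of a Windows volume that has been mounted from a clean analysis host against a reference set and reports every driver whose bytes differ, flagging the ones whose size is unchanged, which is what in-place patching of a driver looks like. One caveat the item does not spell out: this rootkit family hid its changes from the running system, so a hash taken from inside the infected OS can come back clean; take the comparison offline. All paths, file names and sample files are constructed for illustration, and the reference copies (install media, or the dllcache / ServicePackFiles directories) are assumed to be untouched.

```python
"""Offline driver integrity check, added as an example alongside item 2.2.

Not code from the advisory or from Microsoft. It compares the drivers of a
Windows volume that is mounted but NOT booted against a reference set, and
reports every driver whose bytes differ. Paths, file names and the sample
files are constructed for illustration; the reference copies (e.g. from install
media or the dllcache directory) are assumed to be clean.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large drivers do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_drivers(live_dir, reference_dir, pattern="*.sys"):
    """Compare every driver in live_dir with the same-named file in reference_dir.

    Returns a dict with:
      modified     - drivers whose bytes differ from the reference copy, with a
                     flag for an unchanged file size (in-place patching, which is
                     how an infected atapi.sys looks, keeps the size intact)
      unverifiable - drivers with no reference copy, which this check cannot clear
      clean        - count of drivers that match their reference copy exactly
    """
    live_dir, reference_dir = Path(live_dir), Path(reference_dir)
    report = {"modified": [], "unverifiable": [], "clean": 0}
    for live in sorted(live_dir.glob(pattern)):
        reference = reference_dir / live.name
        if not reference.is_file():
            report["unverifiable"].append(live.name)
            continue
        live_hash, reference_hash = sha256_of(live), sha256_of(reference)
        if live_hash == reference_hash:
            report["clean"] += 1
            continue
        report["modified"].append({
            "name": live.name,
            "same_size": live.stat().st_size == reference.stat().st_size,
            "live_sha256": live_hash,
            "reference_sha256": reference_hash,
        })
    return report


def build_sample(root):
    """Constructed sample tree (not real driver images): three matching drivers,
    one of them patched in place with its size unchanged, plus one driver that
    has no reference copy."""
    live = Path(root) / "offline_volume" / "drivers"
    reference = Path(root) / "reference" / "dllcache"
    live.mkdir(parents=True)
    reference.mkdir(parents=True)
    clean_image = b"MZ" + b"\x00" * 510 + b"fake clean driver image" + b"\x00" * 100
    for name in ("atapi.sys", "disk.sys", "ntfs.sys"):
        (reference / name).write_bytes(clean_image)
        (live / name).write_bytes(clean_image)
    # Overwrite 16 bytes of the live atapi.sys without changing its length.
    patched = bytearray(clean_image)
    patched[512:528] = b"ROOTKIT LOADER!!"
    (live / "atapi.sys").write_bytes(bytes(patched))
    # A third-party driver with no reference copy cannot be cleared by this check.
    (live / "thirdparty.sys").write_bytes(b"MZ" + b"\x01" * 64)
    return live, reference


def run_sample():
    """Build the constructed tree in a temporary directory and compare it."""
    with tempfile.TemporaryDirectory() as tmp:
        live, reference = build_sample(tmp)
        return compare_drivers(live, reference)


if __name__ == "__main__":
    result = run_sample()
    for entry in result["modified"]:
        print(f"MODIFIED      {entry['name']} (size unchanged: {entry['same_size']})")
    for name in result["unverifiable"]:
        print(f"NO REFERENCE  {name}")
    print(f"{result['clean']} driver(s) match the reference copies")
```

On a real case, point compare_drivers() at the mounted volume's System32\drivers directory and at the trusted reference; a driver listed as unverifiable is not cleared, it simply has nothing to be compared with, and needs a vendor copy or a catalog signature check instead.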
It has now been confirmed that the issue was the result of malware infection, as many had suspected. The malware family identified is the Alureon rootkit. The blue screen that follows the installation of MS10-015 is caused by the changes the rootkit has already made to the Windows kernel: once MS10-015 changes the kernel as well, the infected system is left unstable and eventually unbootable. The MSRC blog post on the issue specifically identifies that the Alureon rootkit calls Windows kernel code at a hardcoded memory address. When MS10-015 moved that code, the address no longer held the function Alureon was trying to call, and the result was system instability and blue screen crashes.

Further remediation advice has been provided by Microsoft's Malware Protection Center, which points out that recovering from the rolling reboot / blue screen issue caused by Alureon can be as simple as overwriting the infected system driver with a known clean copy. The system driver most commonly infected by this rootkit is atapi.sys. The malware authors have also responded to the issue and have updated their rootkit to no longer rely on hardcoded memory locations, meaning new installations of the rootkit will no longer blue screen Windows XP systems once MS10-015 is applied.

2.3 Internet Explorer, Help files, and VBScript - Remote Code Execution Allowed

Microsoft have recently acknowledged an odd vulnerability in which VBScript running in Internet Explorer can be used to execute arbitrary code, with a seemingly innocuous Windows Help file as the vehicle. According to Microsoft's advisory, any successful exploit requires user interaction: the user has to press the F1 key after a web page displays a dialog box prompting them to do so, nominally bringing up the help function. A weakness in the way VBScript, Internet Explorer and Windows Help files interact is the root cause of the vulnerability.
Vulnerable systems include Windows 2000, XP and 2003. Because the vulnerability was disclosed publicly before Microsoft were made aware of it, the risk of successful exploitation is higher than under Microsoft's usual coordinated disclosure and patching process. At this stage, no attacks making use of this vulnerability have been reported. Mitigating the risk of compromise is the requirement for user interaction, and a successful attack gains only the rights of the current user.

Microsoft's suggested workarounds include not pressing the F1 key when prompted by a website, restricting access to the Windows Help System (effectively disabling it system-wide), and changing the security and scripting settings within Internet Explorer. Relying on users not to press a key when prompted, and effectively neutering much of the Internet, don't really seem like viable long-term workarounds for the vulnerability. With the Security Bulletins for March only a week away, it is unlikely that a patch will be available in this month's release.

=======================================

Sincerely,
Sûnnet Beskerming Team
info at beskerming.com

Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **
Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and commercialise the research coming out of Jongsma & Jongsma Pty. Ltd. Sûnnet Beskerming Pty. Ltd. is an Information Security specialist and, in conjunction with the tools developed by Jongsma & Jongsma Pty. Ltd., provides total security solutions and services, from the perimeter to internal data stores, including web application security and security testing and analysis.